BlackCat : New Rust based ransomware borrowing BlackMatter’s configuration

Published in S2W BLOG, Dec 10, 2021

Author: TALON | S2W
Last modified: 12/10/2021

1. What is BlackCat Ransomware

1.1. New ransomware based on Rust

On 12/09/2021, MalwareHunterTeam mentioned BlackCat on Twitter as a new Rust-based ransomware.

[Figure: BlackCat ransom note]

Why Rust?

Rust is a multi-paradigm programming language, developed by Mozilla in 2010, which aims at higher performance and better safety than C++. Rust has been Stack Overflow’s most loved language for five years in a row. Malware developers are probably adopting Rust for the same reasons.

In fact, Rust-based MaaS (Malware-as-a-Service) offerings such as RustyBuer and FickerStealer have been appearing on the Deep and Dark web.

1.2. Borrowing BlackMatter’s configuration

Like other RaaS ransomware, BlackCat drives its malicious actions from an embedded internal configuration.

We have confirmed that the values of the following BlackCat configuration fields match BlackMatter’s exactly:

  • kill_services
  • kill_processes
  • exclude_directory_names
  • exclude_file_names
  • exclude_file_extensions

The “credentials” field is likewise present in BlackMatter V1 and Darkside; it holds the victim’s domain credentials.
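The field-by-field comparison this section describes can be carried out mechanically. The following is an added example (not S2W’s code, and the configuration values are constructed placeholders, not real BlackCat or BlackMatter content): it compares two configuration dictionaries, treats list-valued fields as order- and case-insensitive sets with a Jaccard score for partial overlap, and keeps victim-specific fields such as `credentials` out of the code-overlap verdict, since identical values there point to a shared victim rather than a shared code base.

```python
# Added example with constructed placeholder values; not real BlackCat or
# BlackMatter configuration content.

# Matching values in victim-specific fields indicate a shared victim rather
# than a shared code base, so they are reported separately.
VICTIM_SPECIFIC_FIELDS = {"credentials", "company_id", "public_key"}


def _normalize(value):
    """Make fields comparable regardless of list order or letter case."""
    if isinstance(value, list):
        return frozenset(str(v).strip().lower() for v in value)
    return value.strip().lower() if isinstance(value, str) else value


def compare_configs(a, b):
    """Bucket every field: identical, partial (Jaccard), different, victim-specific, missing."""
    result = {"identical": [], "partial": {}, "different": [],
              "victim_specific": [], "missing": []}
    for field in sorted(set(a) | set(b)):
        if field not in a or field not in b:
            result["missing"].append(field)
        elif field in VICTIM_SPECIFIC_FIELDS:
            result["victim_specific"].append(field)
        else:
            va, vb = _normalize(a[field]), _normalize(b[field])
            if va == vb:
                result["identical"].append(field)
            elif isinstance(va, frozenset) and isinstance(vb, frozenset) and va & vb:
                result["partial"][field] = round(len(va & vb) / len(va | vb), 2)
            else:
                result["different"].append(field)
    return result


# Constructed sample configurations (placeholder values only).
SAMPLE_A = {
    "kill_services": ["vss", "sql", "backup"],
    "kill_processes": ["sqlwriter.exe", "notepad.exe"],
    "exclude_directory_names": ["windows", "boot"],
    "exclude_file_extensions": ["exe", "dll"],
    "note_file_name": "RECOVER-NOTE.txt",
    "credentials": ["corp\\placeholder_user:placeholder_pw"],
}
SAMPLE_B = {
    "kill_services": ["SQL", "vss", "backup"],
    "kill_processes": ["sqlwriter.exe", "excel.exe"],
    "exclude_directory_names": ["Windows", "Boot"],
    "exclude_file_extensions": ["exe", "dll", "sys"],
    "note_file_name": "README.txt",
    "credentials": ["corp\\placeholder_user:placeholder_pw"],
}
```

Running `compare_configs(SAMPLE_A, SAMPLE_B)` reports the two fully matching list fields separately from the partially overlapping ones, which is the distinction that matters when weighing a "completely matches" claim.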

1.3. Differences from BlackMatter

After comparing BlackCat and BlackMatter, we found it difficult to conclude that they are operated by the same group.

1) Too similar

When Darkside, known to be used by the FIN7 group, was rebranded as BlackMatter, the new variant did not reuse the same configuration.

2) Based on Rust

BlackCat is written in Rust, whereas both DarkSide and BlackMatter were written in C/C++.

3) Too soon

The timeline is too short for BlackMatter to have rebranded as BlackCat and rewritten the ransomware in a different programming language, Rust.

  • Darkside: from August 2020 to May 2021
  • BlackMatter: from August 2021 to November 2021
  • BlackCat: from late November (based on PE timestamp)

4) Lots of execution options

Unlike Darkside and BlackMatter, which offered only two or three execution options, BlackCat supports a wide range of options.

5) Leak site

The DarkSide and BlackMatter negotiation sites required the access key to be entered on the negotiation page; BlackCat instead passes the access key as a GET parameter and displays no input box on the page. In addition, BlackCat has added a private leak site, probably used to pre-publish leaks.

2. The negotiation site and leak sites

Five onion domains used by BlackCat have been identified so far. They are currently categorized as the negotiation site, the public leak site, and the private leak site, and they appear to use the same favicon across sites. It seems that the operators initially ran a private preview page and then moved it to the Alphv leak site. (Unfortunately, the private leak site was not accessible at the time of analysis.)

2.1. Alphv leak site

Two victims were posted on the Alphv leak site recently.

2.2. The two victims on the Alphv leak site appear to have been attacked by BlackCat ransomware

We have confirmed that the configuration within the BlackCat ransomware contains the victim’s credentials.

We also confirmed during the analysis that the victim’s name was included in the filename of the BlackCat ransomware sample posted to the leak site.

3. Activities

We have analyzed their recent activities, and the group appears to have been active since November.

3.1. Timeline

3.2. Looking for pentesters and affiliates

The BlackCat ransomware operator uses “alphv” as a username on the XSS and Exploit forums, but “ransom” as a username on the RAMP forum.

[Exploit forum] We are looking for WINDOWS / LINUX / ESXI pentesters

  • Posted on 12/04/2021

[RAMP forum] ALPHV-ng RaaS new generation.

  • Posted on 12/09/2021

3.3. Warning messages posted on Alphv

  • After information about the BlackCat ransomware and the Alphv leak site was revealed on Twitter, the operators deleted all information about both victims and posted a warning message on the Alphv leak site.
